Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Page 1 of 2 12 LastLast
Results 1 to 15 of 18

Thread: setTimeout()

  1. #1
    New Coder
    Join Date
    Oct 2005
    Posts
    14
    Thanks
    1
    Thanked 0 Times in 0 Posts

    setTimeout()

    Can setTimeout() be blocked from working on a site? Is this possible?

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    Sure...just turn off JavaScript in your browser.

    Of course, chances are pretty good that then the rest of the website won't work worth beans. <shrug>You pays your money and takes your choice.</shrug>

  • #3
    New Coder
    Join Date
    Oct 2005
    Posts
    14
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Nice, yea that would work but I'm talking about a site being able to block a user from using it in a script. I wrote a script that pull info then adds a little back and everything works fine as long as I don't have setTimeout in the script. If I add it to the script it won't work, and I know how to use setTimeout pretty good, tested the script and it always falls back to the setTimeout which I think the sites blocking...

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    I can think of ways to do it. Depends on how your JS is being added to the site.

    Hmmm...I wonder what happens if you simply define your own setTimeout( ) function? Will it hide the window.setTimeout() native function??

  • #5
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,731
    Thanks
    202
    Thanked 2,508 Times in 2,486 Posts
    Why wonder?

    Code:
    <script type = "text/javascript">
    function setTimeout(){
    alert ("Boo!");
    tim = setTimeout("setTimeout()",2000);
    }
    
    setTimeout()
    </script>
    But here's a lol -

    Code:
    <script type = "text/javascript">
    function setTimeout(){
    alert ("Boo!");
    tim = setTimeout("",2000);
    }
    
    setTimeout()
    </script>

  • #6
    New Coder
    Join Date
    Oct 2005
    Posts
    14
    Thanks
    1
    Thanked 0 Times in 0 Posts
    nope... I tried it like the way you have it and here's the outcome:

    Code:
    function setTimeout(){
    alert ("Boo!");
    tim = setTimeout("",2000);
    }
    
    setTimeout()
    Doesn't work...


    Code:
    function setShoutout(){
    alert ("Boo!");
    }
    
    setShoutout()
    Works...

    Code:
    function setShoutout(){
    alert ("Boo!");
    tim = setTimeout("",2000);
    }
    
    setShoutout()
    Doesn't work...

    Code:
    function setTimeout(){
    alert ("Boo!");
    }
    
    setTimeout()
    Doesn't work...

    Anything that has SetTimeout in it doesn't work... even if you have:

    Code:
    alert ("I yelled: setTimeout");
    You get back: "I yelled: "

  • #7
    Banned
    Join Date
    Nov 2008
    Location
    not found
    Posts
    284
    Thanks
    0
    Thanked 53 Times in 51 Posts
    Quote Originally Posted by Makien View Post
    Anything that has SetTimeout in it doesn't work... even if you have:

    Code:
    alert ("I yelled: setTimeout");
    You get back: "I yelled: "
    When you're on that site, what happens if you type:

    javascript:alert(setTimeout)

    into the address bar and press Enter?

    If it alerts 'native code', try adding this to your script immediately prior to where you would call setTimeout, then call st in place of setTimeout.

    var st = window[unescape("%73%65%74%54%69%6d%65%6f%75%74")];

  • #8
    Supreme Master coder! Philip M's Avatar
    Join Date
    Jun 2002
    Location
    London, England
    Posts
    17,731
    Thanks
    202
    Thanked 2,508 Times in 2,486 Posts
    alert ("I yelled: setTimeout"); works in IE6.


    Code:
    <script type = "text/javascript">
    function setTimeout(){
    alert ("I yelled: setTimeout");
    tim = setTimeout("setTimeout()",2000);
    }
    
    setTimeout()
    </script>
    Above also works in IE6 in that the alert "I yelled: setTimeout" shows, but the timeout triggers right away, even if the time is changed to a higher value such as 25000.

    Conclusion: don't give a function the name of a Javascript method. I guess that similar problems would arise with functions 'checked()' or 'replace()' or parseInt()'.

    Code:
    <script type = "text/javascript">
    function parseInt(){
    x= 12.34
    y = parseInt(x);
    alert (y);
    }
    parseInt();
    </script>
    results in a stack overflow.

  • #9
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    Philip: He means that ON THAT SITE, where he is dumping in his own JS code, they are suppressing setTimeout.

    That would obviously be trivial to do if the user must supply his "site" code (including JS) as a text file that is then run by the site. They just mangle the code before allowing it to run. I *thought* he had implied that he is using a <script src="http://www.hissite.com/somecode.js">, but he didn't state that, so maybe I read too much into the post.

    Hmmm...I guess even that wouldn't be too hard to mangle: They look for such "includes" and, instead of dumping them in directly, they pull them through their own filter.

    That is, when they see
    <script src="http://www.hissite.com/somecode.js">
    they mangle it into
    <script src="filterExternalJs.php?src=http://www.hissite.com/somecode.js">
    or similar.

    If you have to deliver text to them, they can pretty much mangle your code as much as they want.

  • #10
    New Coder
    Join Date
    Jun 2009
    Posts
    81
    Thanks
    0
    Thanked 8 Times in 8 Posts
    This kills the window setTimeout method by over-writing it.
    uncomment the first line to kill setTimeout.

    Code:
    //window.setTimeout=new Function("return false"); 
    function test(){
    	alert('setTimeout is working');
    }
    window.onload = function(){
    	setTimeout(test,100)
    }

  • #11
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,184
    Thanks
    10
    Thanked 569 Times in 550 Posts
    Quote Originally Posted by rdspoons View Post
    This kills the window setTimeout method by over-writing it.
    uncomment the first line to kill setTimeout.

    Code:
    //window.setTimeout=new Function("return false"); 
    function test(){
    	alert('setTimeout is working');
    }
    window.onload = function(){
    	setTimeout(test,100)
    }
    i doubt IE8 is gonna like that...
    in ecma5 that's verboten as well.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/1/19) IE7:0.2, IE8:6.7, IE11:7.4, IE9:3.8, IE10:4.4, FF:18.3, CH:43.6, SF:7.8, MOBILE:27.5

  • #12
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    Yeah, guys, but you are missing the point of the original poster.

    He is trying to drop his JS code onto some website (Facebook??? Or similar?) and that site is killing all occurrences of setTimeout.

    If you look at his post #6 in this thread, you'll see this:
    Anything that has SetTimeout in it doesn't work... even if you have:
    Code:
        alert ("I yelled: setTimeout");
    You get back: "I yelled: "
    So that means that the site is looking for the *TEXT* "setTimeout" and wiping it out. Nothing to do with overwriting a function, apparently.

    My fault for suggesting the overwrite of setTimeout in the first place, since it's not relevant to the actual question here.

  • #13
    Senior Coder rnd me's Avatar
    Join Date
    Jun 2007
    Location
    Urbana
    Posts
    4,184
    Thanks
    10
    Thanked 569 Times in 550 Posts
    Quote Originally Posted by Old Pedant View Post
    ... the site is looking for the *TEXT* "setTimeout" and wiping it out. Nothing to do with overwriting a function, apparently.
    in that case, put on your XSS hat and hope we are smarter than they are.

    Most likely, they are using some kind of a regexp to try to find "setTimeout", so don't say "setTimeout", make an alias:

    try:
    Code:
    window.ST=window[String.fromCharCode(115,101,116,84,105,109,101,111,117,116)];
    
    ST("alert('hello world')", 500);
    tested FF3

    if this doesn't work (though i bet it will), perhaps a different escape sequence can sneak by the filter.
    google "xss cheatsheet" and try some of those techniques as well.

    there's a million ways to deliver javascript; chances are you can find one that they overlooked!
    Last edited by rnd me; 06-30-2009 at 03:51 AM.
    my site (updated 13/9/26)
    BROWSER STATS [% share] (2014/1/19) IE7:0.2, IE8:6.7, IE11:7.4, IE9:3.8, IE10:4.4, FF:18.3, CH:43.6, SF:7.8, MOBILE:27.5

  • #14
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,020
    Thanks
    75
    Thanked 4,323 Times in 4,289 Posts
    Yeah, I think that's got a good chance of working. Since they clearly *are* searching for text "setTimeout" maybe they'll miss that.

    I know another sneaky way: Use AJAX (well, XMLHTTP) to hit a service that does nothing but wait a given time. Or hit an invalid URL, on purpose, after setting a specified timeout on the XMLHTTP object. Ehhh...but if they are blocking setTimeout, they are probably blocking XMLHTTP.

  • #15
    New Coder
    Join Date
    Oct 2005
    Posts
    14
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Whoa... go away for the weekend and comeback to tons of stuff lol. Thanks for all the posts and ideas so lets see if I can break it all down.

    First I'm not going to mention the site because it's against their policy to use scripts (but everyone does). The site had some code changes lately so some of my codes where broken, they were easily fixed except one, the smallest one.

    @randomuser773
    Yea I did get the native code so setTimeout is working, but I don't know why they'd block this and not anything else, though a lot of scripts use setTimeout. I tried you code but it still doesn't work.

    Here's the section of the code:
    Code:
    setTimeout("window.location.replace('" + rootPath + "trial_page.php')", 5000);
    Here's what I tested:
    Code:
    var st = window[unescape("%73%65%74%54%69%6d%65%6f%75%74")];
    st("window.location.replace('" + rootPath + "trial_page.php')", 5000);
    also:
    Code:
    window.ST=window[String.fromCharCode(115,101,116,84,105,109,101,111,117,116)];
    ST("window.location.replace('" + rootPath + "trial_page.php')", 5000);
    None worked.

    I also think Philip M is on to something when saying that setTimeout is being called to fast, even when changing the time. I think the site is using this somehow to block it, though that is an opinion.

    I'll have to keep testing different things. I tried adding a pause in the script but that just cause the script to crash....


  •  
    Page 1 of 2 12 LastLast

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •